Jenkins Job Import Plugin allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins
Moderate severity
GitHub Reviewed
Published
Oct 19, 2022
to the GitHub Advisory Database
•
Updated Jan 4, 2024
Package
Affected versions
<= 3.5
Patched versions
3.6
Description
Published by the National Vulnerability Database
Oct 19, 2022
Published to the GitHub Advisory Database
Oct 19, 2022
Reviewed
Oct 19, 2022
Last updated
Jan 4, 2024
Jenkins Job Import Plugin 3.5 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. An enumeration of credentials IDs in Job Import Plugin 3.6 requires Job Import/Import Jobs permission.
References